https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362100#M106970 <P>that works, thank you very much for the help</P> Fri, 11 Aug 2017 15:14:52 GMT YTKme 2017-08-11T15:14:52Z https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362094#M106964 <P>I was wondering if is possible to group / filter based on a single field. Below is a field called <CODE>user_agent</CODE> for browsers. I wanted to group similar browser type (Chrome, Firefox, Safari, etc), and count a total of each browser by date.</P> <PRE><CODE>Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv%3A54.0) Gecko/20100101 Firefox/54.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Windows NT 10.0; WOW64; rv%3A54.0) Gecko/20100101 Firefox/54.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv%3A54.0) Gecko/20100101 Firefox/54.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv%3A54.0) Gecko/20100101 Firefox/54.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Windows NT 6.1; WOW64; rv%3A38.0; GomezAgent 3.0) Gecko/20100101 Firefox/38.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv%3A11.0) like Gecko Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv%3A11.0) like Gecko Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv%3A54.0) Gecko/20100101 Firefox/54.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv%3A11.0) like Gecko Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 </CODE></PRE> Thu, 10 Aug 2017 18:14:56 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362094#M106964 YTKme 2017-08-10T18:14:56Z https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362095#M106965 <P>try this:<BR /> your search ... <CODE>|stats count(eval(like(user_agent,"%Chrome%"))) AS Chrome, count(eval(like(user_agent,"%Safari%"))) AS Safari, count(eval(like(user_agent,"%Firefox%"))) AS Firefox</CODE><BR /> screenshot:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3341i658304E2F419876E/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>hope it helps</P> Thu, 10 Aug 2017 18:54:12 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362095#M106965 adonio 2017-08-10T18:54:12Z https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362096#M106966 <P>Try like this</P> <PRE><CODE>your base search with field _time and user_agent | rex field=user_agent "(?&lt;Browser&gt;Chrome\/\d+|Firefox\/\d+|Version\/[\d+\.]+\d+\sSafari)" | timechart span=1d count by Browser </CODE></PRE> Thu, 10 Aug 2017 19:12:51 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362096#M106966 somesoni2 2017-08-10T19:12:51Z https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362097#M106967 <P>this works, got the results i wanted, thanks a lot</P> Thu, 10 Aug 2017 21:52:52 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362097#M106967 YTKme 2017-08-10T21:52:52Z https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362098#M106968 <P>kind of a follow up question, when i try to put it in a visualization bar graph, it plotted the first column at the different axis than the rest of the columns, is there any way to plot all columns on the same axis on a graph?</P> Thu, 10 Aug 2017 22:17:04 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362098#M106968 YTKme 2017-08-10T22:17:04Z https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362099#M106969 <P>try to add by .... something<BR /> i added <CODE>... | by host</CODE> and the results looks fine </P> Fri, 11 Aug 2017 13:03:30 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362099#M106969 adonio 2017-08-11T13:03:30Z https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362100#M106970 <P>that works, thank you very much for the help</P> Fri, 11 Aug 2017 15:14:52 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-group-similar-fields-and-count-by-field/m-p/362100#M106970 YTKme 2017-08-11T15:14:52Z